Windows Defender RoguePlanet Zero-Day (CVE-2026-47281): SYSTEM Privilege Escalation via Visual Studio Code, Actively Exploited

A zero-day privilege escalation vulnerability in Microsoft Defender / Visual Studio Code, tracked as CVE-2026-47281 (CVSS 9.6) and dubbed “RoguePlanet,” grants attackers SYSTEM-level access on affected systems. The vulnerability was patched in Microsoft’s June 2026 Patch Tuesday alongside 197 other vulnerabilities. Active exploitation has been confirmed.

What Is the Vulnerability?

CVE-2026-47281 is an improper input validation vulnerability (CWE-20) in Visual Studio Code that allows an unauthorised attacker to elevate privileges over a network. The vulnerability affects the interaction between Visual Studio Code and Windows Defender components, enabling an attacker who has gained initial code execution on a system to escalate to SYSTEM — the highest privilege level on Windows.

This is the second Windows Defender zero-day disclosed this year, following the Defender engine vulnerabilities (CVE-2026-41091, CVE-2026-45584, CVE-2026-45498) covered in May reports. The successive Defender vulnerabilities indicate that both security researchers and attackers are intensively targeting the antimalware attack surface.

  • CVSS v3.1 Score: 9.6 (Critical)
  • CWE: CWE-20 (Improper Input Validation)
  • Attack Vector: Network
  • Status: Zero-day — actively exploited prior to patch

Which Versions Are Affected?

  • Visual Studio Code and Windows Defender — all versions prior to the June 2026 Patch Tuesday update

Is It Being Exploited in the Wild?

Yes — confirmed active exploitation. Microsoft classified this as a zero-day, meaning it was exploited before the patch was available. Apply the June 2026 Patch Tuesday update immediately.

What Is the Fix?

Apply the June 2026 Patch Tuesday updates via Windows Update. The fix is included in the cumulative update. Ensure Visual Studio Code is also updated to the latest version.

Recommendations

Apply Patch Tuesday updates today. An actively exploited zero-day with SYSTEM escalation demands immediate patching. Prioritise systems with Visual Studio Code installed and systems where Defender is the primary antimalware.
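One way to triage a host against these recommendations, as an added example that is not part of the original advisory or any Microsoft tooling. Assumptions: the advisory names no KB number or fixed Visual Studio Code build, so patch state is approximated by the date of the most recent installed update, and the function names and priority labels are made up for illustration.

```powershell
# Added triage example. Heuristic only: an update dated on or after June 2026
# Patch Tuesday is treated as "probably patched" because no KB is given.

function Get-SecondTuesday([int]$Year, [int]$Month) {
    # Patch Tuesday is the second Tuesday of the month.
    $d = [datetime]::new($Year, $Month, 1)
    while ($d.DayOfWeek -ne [DayOfWeek]::Tuesday) { $d = $d.AddDays(1) }
    $d.AddDays(7)
}

function Get-VSCodeInstall {
    # System-wide and current-user installs; other users' per-user installs are not seen.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Visual Studio Code*' } |
        Select-Object DisplayName, DisplayVersion
}

$patchTuesday = Get-SecondTuesday 2026 6
$vscode = @(Get-VSCodeInstall)

# Defender counts as primary antimalware when it is enabled and not in passive mode.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $defenderPrimary = $mp.AntivirusEnabled -and $mp.AMRunningMode -eq 'Normal'
} catch { $defenderPrimary = $false }

# Some hotfix records carry no install date; ignore those.
$lastUpdate = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$patched = $lastUpdate -and $lastUpdate.InstalledOn -ge $patchTuesday

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    VSCodeVersions  = ($vscode.DisplayVersion -join ', ')
    DefenderPrimary = $defenderPrimary
    LastUpdate      = $lastUpdate.HotFixID
    LastUpdateDate  = $lastUpdate.InstalledOn
    Priority        = if ($patched) { 'Verify VS Code is current' }
                      elseif ($vscode -or $defenderPrimary) { 'Prioritise' }
                      else { 'Standard' }
}
```

Collect the output objects centrally and sort on `Priority`; hosts reported as probably patched still need the installed Visual Studio Code version compared against the current release.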

This advisory was first covered in the broader Vulnerability Intelligence Report — June 10, 2026.
